Information security tools and where to crash

Foreword


Greetings, dear Habr readers.
Judging by the search, information protection tools (SZI) against unauthorized access (NSD) are rarely mentioned on Habrahabr. For example, a search for "Dallas" returned 26 topics and 2 questions, and of all these only one topic specifically mentioned Dallas Lock, the SZI against NSD from the St. Petersburg firm CONFIDENT LLC. For other products the picture is similar. In this post I would like to share my experience of using such tools and the most common mistakes and misunderstandings when working with them.

Core tools



In our company, customers are offered three options for software and hardware information protection:

All the products are approximately equal in features (especially since USB device control appeared in version 7.7 of Dallas Lock), so the choice of a specific tool is decided either by whether it can be installed in the target system or by the level of relations with suppliers.

By "whether it can be installed" I mean the differences in the architecture of the SZI and their hardware requirements. For example, Dallas Lock (or NT Sentinel) takes control of the computer at the boot stage, preventing the operating system from starting until the user enters a password and presents an identifier. The difference in how this mechanism is implemented is that NT Sentinel uses a PCI expansion card for it, which must be installed inside the PC (in new versions this is optional; it was also declared optional in version 2.5, but it did not work, and it was easier to use another SZI). Accordingly, on a laptop, for example, Dallas Lock was installed: its trusted boot is implemented entirely in software.

"The level of relations with suppliers" should be read as "the possible resale percentage". Recently it has become possible to convince management with the arguments "quality of technical support" and "ease of operation".

Application



Almost all orders require certification of local automated workstations (AWS). Accordingly, the network versions of the security software are rarely used. Among the stand-alone versions everything is simple: Secret Net is the favorite thanks to its very convenient, simple and intuitive setup, full integration into Windows components (snap-in consoles) and clear access control. In second place is NT Sentinel: its configuration is more complex, and its mandatory access control mechanism is somewhat unobvious to users. Dallas Lock, as of version 7.5, was used extremely rarely because it lacked USB device control. With the advent of version 7.7 the situation will change, not least because of the pricing policy.

In the network version (here we consider only Secret Net and Dallas Lock) the situation is the opposite, and less simple. On the one hand, the convenience of Secret Net's settings has not gone away, and its integration with Active Directory and its reliance on the OS's own mechanisms are quite simple and understandable. On the other hand, all the features of the network version (specifically, of the Security Server, in Secret Net terminology) amount to remote log collection, while the Dallas Lock security administrator workstation allows remote manipulation of all security settings for each connected client. Often this is the decisive factor in the choice of SZI. Once I had to listen to a lot of surprise and disappointment from the customer’s administrator when he saw his updated estate. Unfortunately,

Problems



Many errors arise simply from inattention or from misunderstanding how a particular SZI works. It is clear that the help file or manual will save the father of Russian democracy, or rather, will help in resolving the situation, but it is often easier to call the integrator of the protection system. Naturally, the problem will be fixed, but time is wasted, both the customer's and the integrator's. I want to share my personal experience, which will probably help in resolving the most common user complaints.

Let's get started.

Secret Net


A favorite is a favorite everywhere.

Many problems arise from ignorance of an almost fundamental property of the installed SZI: in the file system, folders are always created unclassified, while files are created with the secrecy level of the current session, which can be checked in the pop-up window.

A frequent problem is that the office suite (Word, Excel) stops working. By the way, do not forget that the SZI does not work with OpenOffice.org. The errors can be very different, but the reason is always the same: the folders the office suite needs for its work were not correctly configured for mandatory access control. The full list of folders is given in the documentation, and specific problems can always be diagnosed through the Secret Net log, where information about any program action appears. When assigning secrecy labels to files and folders, remember that the label of a folder should be the maximum allowable for the particular workstation, since Secret Net allows a folder to store any files whose label is no higher than the label of the folder. Accordingly, if Microsoft Word is running in a secret session, it needs the "secret" label on a specific folder in order to write its autosave files.

There are situations when software is installed in a mode other than “not secret”. Of course, to make it work you should log in again and choose a non-secret session.

When USB flash drives are permitted on the workstation, it can turn out to be impossible to copy large amounts of data sorted into folders. Everything is the same here: the newly created folder becomes unclassified, while the files automatically receive the current session's secrecy label.

If flash drives are forbidden, then when you try to connect one, the PC is locked. Two parameters set to “hard” are responsible for this.
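The labelling rule behind both the office-suite failures and the failed folder copy, as an added example that is not Secret Net code or its API: a simplified model in which the level names, the folder paths and the file names are constructed placeholders.

```python
from enum import IntEnum

class Label(IntEnum):
    """Secrecy labels, lowest to highest (level names assumed for this model)."""
    NOT_SECRET = 0
    SECRET = 1
    TOP_SECRET = 2

def can_store(folder: Label, file: Label) -> bool:
    # Rule from the text: a folder holds files labelled no higher than itself.
    return file <= folder

def underlabelled(folders: dict, station_max: Label) -> list:
    """Folders an application must write to whose label is below the
    workstation maximum; writes there fail in a higher-level session."""
    return sorted(path for path, label in folders.items() if label < station_max)

def simulate_copy(files: list, session: Label, dest: Label) -> dict:
    """Copy relative paths into a destination folder labelled `dest`.
    New files take the session label; folders created during the copy
    are always NOT_SECRET, whatever the session level is."""
    outcome = {}
    for rel in files:
        in_new_subfolder = "/" in rel
        parent = Label.NOT_SECRET if in_new_subfolder else dest
        outcome[rel] = can_store(parent, session)
    return outcome

# Constructed sample data: placeholder paths, not the documented folder list.
OFFICE_FOLDERS = {
    r"C:\Example\Office\AutoSave": Label.NOT_SECRET,
    r"C:\Example\Office\Temp": Label.SECRET,
}
USB_FILES = ["report.doc", "archive/2010/plan.doc"]

if __name__ == "__main__":
    print("relabel:", underlabelled(OFFICE_FOLDERS, Label.SECRET))
    for session in (Label.NOT_SECRET, Label.SECRET):
        print(session.name, simulate_copy(USB_FILES, session, dest=Label.SECRET))
```

In the secret session the top-level file is accepted while the file inside the freshly created subfolder is refused, which is why only data sorted into folders fails to copy.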




If users constantly complain that the computer is slow and the organization uses Kaspersky Anti-Virus, check its version: version 6.0.3 is often incompatible with Secret Net 5.x. This is how the slowdowns will surely disappear:


And finally, a little fine tuning can greatly simplify users' lives and save their nerves. Turn to the registry branch HKLM\System\CurrentControlSet\Services\SNMC5xx\Params (for 5.x versions), where you can find two string parameters, MessageBoxSuppression (and a second one with the -ByDir suffix), which specify the file extensions or folders for which the dialog boxes about raising the resource's secrecy category will not be displayed.

NT Sentinel


With this tool, problems are much less common (at least among our customers), which may indicate a more user-friendly protection mechanism.

Misunderstandings with this software stem from the need to choose the secrecy level of each application separately and from the inability to delegate any rights to the standard Windows Explorer. Accordingly, if USB flash drives are registered on the workstation and they are secret, an attempt to open them in Explorer will result in an access error. You should instead launch the installed file manager, choosing at startup the clearance label that corresponds to the secrecy of the flash drive.

Also, if on opening a Word / Excel document the window for selecting the secrecy label appears first, and then the window of the corresponding editor opens without the requested document, this is normal. You should open the file again from within the office application itself.

Dallas Lock


As with NT Sentinel, there are very few errors: the passwords do not match, the “privacy category” parameter has disappeared from the login window, and the electronic identifier fails to bind.

The first error is related to the possible use of two passwords: different passwords can be set for Dallas Lock and for Windows, including by accident (for example, when the administrator changes the password). In this case, after the Windows Welcome window loads, you can enter the Dallas Lock password, click "OK" in the dialog about the mismatch between the SZI and OS passwords, enter the Windows user password and check the "Use in Dallas Lock" checkbox.

The second is related to the field for selecting the session's secrecy label being hidden by default. It happens that users forget about it and then complain that they cannot even get into the folders labelled "for official use" (DSP).

The electronic identifier may fail to bind if this operation is performed for the administrator, or if the token used is not suitable for the version. For example, in version 7.5 the eToken 64k with the eToken RTE driver is supported. The long-standing eToken PKI will not work, nor will the eToken 72k Java, for example.

Afterword


I hope this post will be useful to the community, or at least informative. Thanks for your attention!
